Read time: 3 minutes

PPI Act faces security hurdles

Though the Protection of Personal Information (PPI) Act is meant to be a gatekeeper of personal information, it won't be simple to implement.

This is according to Alan Rehbock, sales and marketing director of Magix Security, a speaker at the ITWeb Security Summit, to be held at the Sandton Convention Centre from 10 to 12 May.

“The Act is a call to action for business,” says Rehbock. “It defines that companies will need to take stock of all information an organisation possesses and how that information moves in and out of the business and who has access to that information.”

Rehbock explains that the proliferation of mobile devices storing sensitive business information and carrying information outside the organisation means businesses need to implement policies to manage this.

Information in the form of instant messaging, e-mails, contact information and information on the Web will also need to be managed. This, he says, is not an easy feat.

“If data has been compromised or breached, the Act says there's an onus for the company to notify the regulator of that fact. This will provide additional challenges to businesses.”

He adds: “My suggestion is for business to take an approach that takes cognisance of the eight principles defined in the Act, and to automate the process to locate and classify the data. The data then needs to be inspected again with further classification and controls to prevent the leakage of confidential information.”

Rehbock points out that there is no single solution that can manage the whole data environment, but organisations can manage the people within the organisation, the technology and automate processes.

He says the sectors most impacted will be insurance and financial companies, healthcare organisations, telcos, government and HR departments.

Xhead = Policing data loss

“Many organisations are starting to appoint a risk and compliance officer to ensure the company complies with every instance of the PPI Act.” He adds that it comes down education and training of staff of how information needs to be protected.

“The most common mistake is that there is no real understanding of the requirements of the Act. I think there's still a long way to go before businesses realise the importance of personal information.”

Rehbock explains that organisations will no longer be able to sell their databases to other companies, once the Act is signed into law.

“New recruits need to be trained on the policy and information security requirements of the organisation. But this will be difficult to enforce because a staff member can take a photograph of a private document with their cellphone and then SMS it.”

Xhead = Not ready

ITWeb recently launched the PPI Act Survey that questions whether South African organisations fully understand the law, and if they are ready to comply with the legislation once it gets enacted.

Dean Chivers, director of tax and legal affairs of Deloitte, previously said he believes the Act will affect all companies to some extent, but will have the biggest impact on companies engaging in significant amounts of direct marketing, as well as those whose business involves dealing with personal information, such as in the insurance and health sectors.

Chivers states: “Electronic communication will be significantly affected. Direct marketing sent electronically will be affected, as will electronic security. Archiving will also need to be restructured, as personal information can't be archived indefinitely and reporting on personal information stored will be necessary.”

Xhead = Strict implications

The PPI Act was submitted to the justice minister in 2009 and has faced several delays due to drafts and public feedback. It aims to promote the protection of personal information processed by public and private bodies.

The legislation seeks to establish minimum requirements for the processing of personal information and aims to establish an information protection regulator.

Non-compliance with the provisions of the Act may result in criminal fines, civil liability and complaints to the regulator.

ITWeb's Security Summit 2011 More information about the ITWeb's Security Summit 2011, which takes place from 10 to 12 May, at the Sandton Convention Centre, is available online here.